On the application of multiple hypothesis tracking to the cyber domain

In cyberspace, attackers are becoming increasingly agile, coordinated, and advanced. In response, defenders have deployed cyber sensors in order to gain visibility into both network and host activities. However, the data generated by these sensors must be correlated to identify individual attacks. This is currently a highly manual process. Unfortunately, this approach does not scale as the number of endpoints increases, the number of networks grow, and limited skilled human analysts. Current state of the art analytic techniques have been developed to aid the human analyst in the association of sensor alerts to cyber attacks. However, these analytic systems require association decisions to be irrevocably made at the time of association. Our approach is to extend the multiple hypothesis tracking framework, from the standard kinematic domain, to the cyber domain. Combining the multiple hypothesis tracking framework with cyber association analytics will allow the formation of more accurate cyber attack tracks, reducing the computational burden currently residing on the human.